On Tue, 27 Feb 1996, Paul Leach wrote:
> I made these before, but they may have been lost in the incrementing
> discussion.
>
> 1. A definition of what is "message-body" in section 2.1 needs to be
> given. Does it include entity-headers, general-headers,
> response-headers (when sent by server) or request-headers (when sent by
> client), as well as the entity-body?
I have changed <message-body> to <entity-body> and added the two sentences:
The <entity-body> is the "entity body" as
prescribed in the Hypertext Transfer Protocol. It consists of the
data transferred after the <CRLF><CRLF> signaling the end of the
entity headers.
>
> 2. In the security considerations section, the rationale for including
> client IP in the recommended nonce needs to be given, over just
> checking the IP address of a later request containing a nonce against
> the IP address to which the nonce was originally given. Is it to
> reduce the amount of state that the server needs to hold?
>
It is done so the server can be stateless. As far as I know there
are no stateful implementations of Digest Authentication. I have
added the following sentence to section 3.2
Digesting the client
IP and timestamp in the nonce permits an implementation which does
not maintain state between transactions.
On a related topic, I don't want to move the recommended nonce
construction material to an appendix. This might make sense from
an editorial point of view, but we were explicitly charged with
expanding the nonce section and I want it to be very clear we have
met this charge, not just tacked on an appendix.
John Franks Dept of Math. Northwestern University
john@math.nwu.edu